-rw-r--r-- | freeipa.spec.in | 6 | ||||
-rw-r--r-- | install/Makefile.am | 3 | ||||
-rw-r--r-- | install/conf/ipa.conf | 2 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 103 | ||||
-rw-r--r-- | ipapython/dogtag.py | 4 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 49 | ||||
-rw-r--r-- | selinux/ipa_dogtag/ipa_dogtag.fc | 3 |
7 files changed, 146 insertions, 24 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 7c8314a04..cc27ffe43 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -397,6 +397,7 @@ rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade +mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/pki-ca/publish mkdir %{buildroot}%{_usr}/share/ipa/html/ ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \ %{buildroot}%{_usr}/share/ipa/html/ffconfig.js @@ -694,6 +695,8 @@ fi %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish %dir %{_localstatedir}/cache/ipa %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so @@ -783,6 +786,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Mon Oct 8 2012 Martin Kosek <mkosek@redhat.com> - 2.99.0-48 +- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca + * Mon Oct 1 2012 Martin Kosek <mkosek@redhat.com> - 2.99.0-47 - Require samba packages instead of samba4 packages obsoleted in Fedora 18 and later - Add libwbclient-devel BuildRequires to pick up libwbclient.h on Fedora 18 and later diff --git a/install/Makefile.am b/install/Makefile.am index 184855e64..361318526 100644 --- a/install/Makefile.am +++ b/install/Makefile.am 
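Review bot: The `%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish` line in the second hunk packages the publish directory with a different mode and group than `prepare_crl_publish_dir` in the cainstance.py hunk applies at runtime (0775, owner root, group of PKI_USER), and as far as I know rpm re-applies `%attr` on every package upgrade, so each upgrade would put the directory back to 755 root:root and the CA would lose write access to it. Nothing re-applies the runtime attributes afterwards, because `migrate_crl_publish_dir` in ipa-upgradeconfig returns early once the `moved_crl_publish_dir` state is set. Either make the packaged attributes match what the code sets, or have ipa-upgradeconfig call `ca.prepare_crl_publish_dir()` on every run before that early return. The install/Makefile.am hunk uses the same `chmod 755` for both directories, though that only matters for a plain `make install`.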
@@ -25,6 +25,9 @@ install-exec-local: chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade mkdir -p $(DESTDIR)$(localstatedir)/cache/ipa/sessions chmod 700 $(DESTDIR)$(localstatedir)/cache/ipa/sessions + mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish + chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca + chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish uninstall-local: -rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 5cd1d8c59..d3f3446b0 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 9 - DO NOT REMOVE THIS LINE +# VERSION 10 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 6c0437180..cb2164c0c 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -25,7 +25,7 @@ Upgrade configuration files to a newer template. import sys try: - from ipapython import ipautil, sysrestore, version + from ipapython import ipautil, sysrestore, version, services from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import * from ipapython import certmonger @@ -44,6 +44,7 @@ try: import re import os import shutil + import pwd import fileinput from ipalib import api import ipalib.errors @@ -281,12 +282,11 @@ def cleanup_kdc(fstore): fstore.untrack_file(filename) root_logger.debug('Uninstalling %s', filename) -def upgrade_ipa_profile(realm): +def upgrade_ipa_profile(ca): """ Update the IPA Profile provided by dogtag """ root_logger.info('[Verifying that CA service certificate profile is updated]') - ca = cainstance.CAInstance(realm, certs.NSS_DIR) if ca.is_configured(): if ca.enable_subject_key_identifier(): root_logger.debug('Subject Key Identifier updated, restarting CA') 
@@ -433,22 +433,23 @@ def named_enable_serial_autoincrement(): return changed -def enable_certificate_renewal(realm): +def enable_certificate_renewal(ca): """ If the CA subsystem certificates are not being tracked for renewal then tell certmonger to start tracking them. + + Returns True when CA needs to be restarted """ - ca = cainstance.CAInstance(realm, certs.NSS_DIR) if not ca.is_configured(): root_logger.debug('dogtag not configured') - return + return False # Using the nickname find the certmonger request_id criteria = (('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH),('cert_nickname', 'ipaCert', None)) request_id = certmonger.get_request_id(criteria) if request_id is not None: root_logger.debug('Certificate renewal already configured') - return + return False if not sysupgrade.get_upgrade_state('dogtag', 'renewal_configured'): if ca.is_master(): 
@@ -459,8 +460,81 @@ def enable_certificate_renewal(realm): ca.configure_agent_renewal() ca.track_servercert() sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True) - ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) root_logger.debug('CA subsystem certificate renewal enabled') + return True + + return False + +def copy_crl_file(old_path, new_path=None): + """ + Copy CRL to new location, update permissions and SELinux context + """ + if new_path is None: + filename = os.path.basename(old_path) + new_path = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH, + filename) + root_logger.debug('copy_crl_file: %s -> %s', old_path, new_path) + + if os.path.islink(old_path): + # update symlink to the most most recent CRL file + filename = os.path.basename(os.readlink(old_path)) + realpath = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH, + filename) + root_logger.debug('copy_crl_file: Create symlink %s -> %s', + new_path, realpath) + os.symlink(realpath, new_path) + else: + shutil.copy2(old_path, new_path) + pent = pwd.getpwnam(cainstance.PKI_USER) + os.chown(new_path, pent.pw_uid, pent.pw_gid) + + services.restore_context(new_path) + +def migrate_crl_publish_dir(ca): + """ + Move CRL publish dir from /var/lib/pki-ca/publish to IPA controlled tree: + /var/lib/ipa/pki-ca/publish + """ + root_logger.info('[Migrate CRL publish directory]') + if sysupgrade.get_upgrade_state('dogtag', 'moved_crl_publish_dir'): + root_logger.info('CRL tree already moved') + return False + + caconfig = dogtag.configured_constants() + + old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH, + 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', + separator='=') + + if old_publish_dir == caconfig.CRL_PUBLISH_PATH: + # publish dir is already updated + root_logger.info('Publish directory already set to new location') + sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True) + return False + + # Prepare target publish 
dir (permissions, SELinux context) + publishdir = ca.prepare_crl_publish_dir() + + # Copy all CRLs to new directory + root_logger.info('Copy all CRLs to new publish directory') + try: + crl_files = cainstance.get_crl_files(old_publish_dir) + except OSError, e: + root_logger.error('Cannot move CRL files to new directory: %s', e) + else: + for f in crl_files: + try: + copy_crl_file(f) + except Exception, e: + root_logger.error('Cannot move CRL file to new directory: %s', e) + + installutils.set_directive(caconfig.CS_CFG_PATH, + 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', + publishdir, quotes=False, separator='=') + sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True) + root_logger.info('CRL publish directory has been migrated, ' + 'request pki-ca restart') + return True def main(): """ @@ -505,6 +579,11 @@ def main(): DOGTAG_PORT=configured_constants.AJP_PORT, ) + + # migrate CRL publish dir before the location in ipa.conf is updated + ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + ca_restart = migrate_crl_publish_dir(ca) + upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) 
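Review bot: The `try`/`except OSError` around `cainstance.get_crl_files(old_publish_dir)` in `migrate_crl_publish_dir` can never trigger, because `get_crl_files` (added in the cainstance.py hunk) is a generator and its `os.listdir` only runs when the `for f in crl_files:` loop in the `else:` branch starts, so a missing or unreadable old publish directory escapes as an unhandled OSError from the loop instead of being logged. Materialise the listing inside the try: `crl_files = list(cainstance.get_crl_files(old_publish_dir))`. Separately, `migrate_crl_publish_dir` is called from `main()` for every server but, unlike `upgrade_ipa_profile` and `enable_certificate_renewal`, has no `ca.is_configured()` guard before `installutils.get_directive(caconfig.CS_CFG_PATH, ...)`; if `get_directive` opens the file unconditionally (its body is not visible here), a server without a CA would abort the upgrade on a missing CS.cfg. I would add `if not ca.is_configured(): return False` right after the `[Migrate CRL publish directory]` log line. Minor: the comment in `copy_crl_file` reads "most most recent".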
@@ -530,14 +609,18 @@ def main(): pass cleanup_kdc(fstore) - upgrade_ipa_profile(api.env.realm) + upgrade_ipa_profile(ca) changed_psearch = named_enable_psearch() changed_autoincrement = named_enable_serial_autoincrement() if changed_psearch or changed_autoincrement: # configuration has changed, restart the name server root_logger.info('Changes to named.conf have been made, restart named') bindinstance.BindInstance(fstore).restart() - enable_certificate_renewal(api.env.realm) + ca_restart = ca_restart or enable_certificate_renewal(ca) + + if ca_restart: + root_logger.info('pki-ca configuration changed, restart pki-ca') + ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) if __name__ == '__main__': installutils.run_script(main, operation_name='ipa-upgradeconfig') diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 22a5a6d19..3bc9e5d5d 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -54,7 +54,7 @@ class Dogtag10Constants(object): SERVER_ROOT = '/var/lib/pki' PKI_INSTANCE_NAME = 'pki-tomcat' PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) - CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT + CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT @@ -78,7 +78,7 @@ class Dogtag9Constants(object): SERVER_ROOT = '/var/lib' PKI_INSTANCE_NAME = 'pki-ca' PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) - CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT + CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index e08df06a8..c37c261f2 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
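Review bot: `ca_restart = ca_restart or enable_certificate_renewal(ca)` short-circuits, so on the upgrade run where `migrate_crl_publish_dir` returned True earlier in `main()` the call to `enable_certificate_renewal(ca)` is skipped entirely and certmonger tracking of the CA certificates is not set up; it would only be picked up on a later run because `renewal_configured` is never set. Evaluate the call unconditionally: `ca_restart = enable_certificate_renewal(ca) or ca_restart`. `main()` starts outside this hunk.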
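Review bot: In the first dogtag.py hunk, `CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT` in Dogtag10Constants expands to `/var/lib/pki/ipa/pki-ca/publish`, since that class sets `SERVER_ROOT = '/var/lib/pki'`, whereas the spec, install/Makefile.am and ipa_dogtag.fc hunks all create and label `/var/lib/ipa/pki-ca/publish`; only the Dogtag9Constants value (`SERVER_ROOT = '/var/lib'`) lands on the packaged path. On a Dogtag 10 install `prepare_crl_publish_dir` would then `os.chmod` a directory that the package never created, and the new SELinux file context would not cover whatever the CA ends up publishing. Since the directory is now IPA-owned rather than instance-relative, spell the path out in both classes: `CRL_PUBLISH_PATH = '/var/lib/ipa/pki-ca/publish'`.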
@@ -48,7 +48,6 @@ import nss.nss as nss from ipapython import ipautil from ipapython import nsslib from ipapython import services as ipaservices -from ipapython import dogtag from ipaserver import ipaldap from ipaserver.install import service @@ -215,6 +214,23 @@ def get_outputList(data): return outputdict +def get_crl_files(path=None): + """ + Traverse dogtag's CRL files in default CRL publish directory or in chosen + target directory. + + @param path Custom target directory + """ + if path is None: + path = dogtag.configured_constants().CRL_PUBLISH_PATH + + files = os.listdir(path) + for f in files: + if f == "MasterCRL.bin": + yield os.path.join(path, f) + elif f.endswith(".der"): + yield os.path.join(path, f) + class CADSInstance(service.Service): def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None): service.Service.__init__(self, "pkids", dm_password=dm_password, ldapi=False, autobind=service.DISABLED) 
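Review bot: The first hunk removes `from ipapython import dogtag`, yet `get_crl_files` added in the second hunk calls `dogtag.configured_constants()`; unless another `dogtag` import survives elsewhere in the module (none is visible in this diff), both that call and the `for f in get_crl_files():` loop in the last hunk would fail with NameError, so this is worth confirming before merge. `get_crl_files` is a generator, which means `os.listdir(path)` runs lazily on the first iteration rather than at call time; its docstring should say so, since the caller in ipa-upgradeconfig wraps only the call in a `try`. I would replace the docstring with something like `"""Yield paths of dogtag CRL files (MasterCRL.bin and *.der) in path, or in the configured CRL publish directory when path is None. The directory is listed lazily on first iteration; OSError propagates from there."""`.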
@@ -1161,19 +1177,30 @@ class CAInstance(service.Service): installutils.set_directive(self.dogtag_constants.SIGN_PROFILE, 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') + def prepare_crl_publish_dir(self): + """ + Prepare target directory for CRL publishing + + Returns a path to the CRL publishing directory + """ + publishdir = self.dogtag_constants.CRL_PUBLISH_PATH + os.chmod(publishdir, 0775) + pent = pwd.getpwnam(PKI_USER) + os.chown(publishdir, 0, pent.pw_gid) + + ipaservices.restore_context(publishdir) + + return publishdir + def __enable_crl_publish(self): """ Enable file-based CRL publishing and disable LDAP publishing. - http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html + https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Setting_up_Publishing.html """ caconfig = self.dogtag_constants.CS_CFG_PATH - publishdir = self.dogtag_constants.CRL_PUBLISH_PATH - os.mkdir(publishdir) - os.chmod(publishdir, 0755) - pent = pwd.getpwnam(PKI_USER) - os.chown(publishdir, pent.pw_uid, pent.pw_gid) + publishdir = self.prepare_crl_publish_dir() # Enable file publishing, disable LDAP installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=') @@ -1211,8 +1238,6 @@ class CAInstance(service.Service): 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn), quotes=False, separator='=') - ipaservices.restore_context(publishdir) - def __set_subject_in_config(self): # dogtag ships with an IPA-specific profile that forces a subject # format. We need to update that template with our base subject 
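Review bot: `prepare_crl_publish_dir` replaces the old `os.mkdir(publishdir)` with a bare `os.chmod(publishdir, 0775)`, so it now relies on packaging having created the directory and raises OSError otherwise (a non-rpm install, or the Dogtag 10 path computed in dogtag.py, hits this). A guard keeps the old behaviour for that case: `if not os.path.isdir(publishdir):` followed by `os.mkdir(publishdir)`. The ownership also changes from PKI_USER:PKI_USER to root with only the group set to PKI_USER's; if the intent is that the CA can write CRLs but not replace the directory itself, say so in the docstring, e.g. `Owned by root and group-writable for PKI_USER so the CA can publish CRLs without owning the directory.`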
@@ -1249,6 +1274,12 @@ class CAInstance(service.Service): installutils.remove_file("/var/lib/certmonger/cas/ca_renewal") + # remove CRL files + root_logger.info("Remove old CRL files") + for f in get_crl_files(): + root_logger.debug("Remove %s", f) + installutils.remove_file(f) + def publish_ca_cert(self, location): args = ["-L", "-n", self.canickname, "-a"] (cert, err, returncode) = self.__run_certutil(args) diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc index 08c5f3190..c3b2adb42 100644 --- a/selinux/ipa_dogtag/ipa_dogtag.fc +++ b/selinux/ipa_dogtag/ipa_dogtag.fc @@ -1,2 +1 @@ -/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) -/var/lib/pki/pki-tomcat/ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) +/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) |
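Review bot: The `for f in get_crl_files():` loop added to the uninstall path has no error handling, and because `get_crl_files` lists the directory lazily, a missing publish directory (CA never configured on this host, or the path in dogtag.py not matching the packaged one) raises OSError out of the loop and aborts the remaining uninstall steps; the old code never touched this directory on uninstall. The enclosing method starts outside the hunk. I would list the files under a `try` and log instead of failing, keeping the removal loop as is.
```python
        # remove CRL files
        root_logger.info("Remove old CRL files")
        try:
            crl_files = list(get_crl_files())
        except OSError, e:
            root_logger.warning("Cannot list CRL files: %s", e)
        else:
            for f in crl_files:
                root_logger.debug("Remove %s", f)
                installutils.remove_file(f)
```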